Nearly half of participants in a study designed to test social media literacy failed to correctly identify AI-generated bot accounts more often than they misidentified real human users - a result that challenges the widespread assumption that digital experience translates into digital discernment. The experiment, conducted by cybersecurity firm Surfshark in collaboration with a master's-level research program at Malmö University, drew on responses from 710 participants. Only 53 percent managed to correctly flag bots at a rate that exceeded their false-positive errors on human accounts, leaving 47 percent who could not clear that baseline threshold at all.
The Confidence Gap That Makes Bots Dangerous
What makes this finding particularly sobering is the population it describes. The participants were not casual, infrequent users stumbling through social platforms. They were people who, by their own assessment, considered themselves knowledgeable and alert when it comes to online behavior. That self-perception - confident, experienced, skeptical - is precisely the psychological profile most likely to underestimate a threat. When people believe they would recognize manipulation, they are less likely to pause and question it.
This dynamic is not new in security research. The same pattern appears in phishing susceptibility studies, where individuals who score highest on self-reported awareness sometimes perform no better than average users when faced with well-crafted deceptive content. The problem is not a lack of general knowledge. It is that the threat itself has become sophisticated enough to defeat pattern recognition trained on older, cruder versions of the same deception.
Why Modern Bots Are Harder to Detect
The bot accounts of five or six years ago were often distinguishable by specific, consistent tells: irregular posting schedules, generic profile photographs, awkward phrasing, absence of personal history, and comment threads that seemed disconnected from context. Detecting them required attention but not expertise. The situation has shifted substantially.
Large language models now produce text that is contextually appropriate, tonally varied, and grammatically fluent across multiple registers - formal and casual, empathetic and contentious, depending on what a given conversation requires. Profile generation tools can produce synthetic photographs indistinguishable from real ones. Behavioral automation has become subtle enough to mimic the irregular rhythms of genuine human posting. The result is a category of account that passes visual and linguistic inspection without triggering the intuitive alarms most users rely on.
Social platforms compound the problem. Engagement metrics - likes, shares, follower counts, comment volume - function as social proof signals that users unconsciously treat as credibility indicators. A bot operating within a coordinated network can accumulate those signals artificially, presenting a surface that looks, by every visible measure, like a well-established human presence.
The Broader Stakes for Information and Trust
The implications extend well beyond personal embarrassment at having been fooled. Bot networks operating at scale have been documented in the context of political influence operations, health misinformation campaigns, and coordinated harassment. When even informed users cannot reliably distinguish automated accounts from real ones, the social infrastructure of trust on which online discourse depends begins to erode in ways that are difficult to measure and harder to reverse.
There is also a data privacy dimension. Bot accounts are frequently deployed not merely to spread content but to gather it - engaging real users in conversation to extract behavioral signals, personal preferences, or identifying information that can be aggregated, sold, or used to build targeting profiles. A user who believes they are interacting with a person is far more likely to respond with candor than one who suspects an automated system is on the other end of the exchange.
Regulatory frameworks have begun to engage with this problem, though unevenly. The European Union's Digital Services Act includes provisions requiring platforms to take measures against inauthentic automated behavior, and large platforms operating in the EU are subject to transparency and accountability obligations that did not exist a few years ago. Enforcement, however, remains patchy, and the speed of development in AI-generated content continues to outpace the regulatory response.
What Awareness Actually Requires Now
The Surfshark experiment serves as a practical reminder that digital literacy frameworks built around older threat models need updating. Recognizing a bot today is less about spotting surface-level errors and more about applying a different kind of critical scrutiny: examining whether an account has a coherent, longitudinal social history; whether its engagement patterns seem organic across time; whether the content it produces serves an identifiable agenda; and whether it appears in coordinated clusters with other accounts amplifying the same material.
None of those checks are foolproof. Some will produce false results in both directions. But the study's findings suggest that relying on instinct and self-confidence - the dominant strategy among people who consider themselves internet-savvy - is no longer adequate. The standard for skepticism has to rise alongside the standard of the deception it is meant to counter.
